HACKING EXPOSED COMPUTER FORENSICS
SECOND EDITION
REVIEWS
“This book provides the right mix of practical how-to knowledge in a straightforward, informative fashion that ties all the complex pieces together with real-world case studies. With so many books on the topic of computer forensics, Hacking Exposed Computer Forensics, Second Edition, delivers the most valuable insight on the market. The authors cut to the chase of what people must understand to effectively perform computer forensic investigations.”
—Brian H. Karney, COO, AccessData Corporation
“Hacking Exposed Computer Forensics is a ‘must-read’ for information security
professionals who want to develop their knowledge of computer forensics.”
—Jason Fruge, Director of Consulting Services, Fishnet Security
“…valuable reference, useful to both beginning and seasoned forensic professionals. I picked up several new tricks from this book, which I am already putting to use.”
—Monty McDougal, Raytheon Information Security Solutions, and author of the Windows Forensic Toolchest (WFT) (www.foolmoon.net)
“Hacking Exposed Computer Forensics, Second Edition, is an essential reference for both new and seasoned investigators. The second edition continues to provide valuable information in a format that is easy to understand and reference.”
—Sean Conover, CISSP, CCE, EnCE
“This book is an outstanding point of reference for computer forensics and
certainly a must-have addition to your forensic arsenal.”
—Brandon Foley, Manager of Enterprise IT Security, Harrah’s Operating Co.
“Starts out with the basics then gets DEEP technically. The addition of IP theft and fraud issues is timely and makes this second edition that much more valuable. This is a core book for my entire forensics group.”
—Chris Joerg, CISSP CISA/M, Director of Enterprise Security, Mentor Graphics Corporation
“A must-read for examiners suddenly faced with a Mac or Linux exam after spending the majority of their time analyzing Windows systems.”
—Anthony Adkison, Criminal Investigator and Computer Forensic Examiner,
CFCE/EnCE
“This book is applicable to forensic investigators seeking to hone their skills, and
it is also a powerful tool for corporate management and outside counsel seeking to
limit a company’s exposure.”
—David L. Countiss, Esq., partner, Seyfarth Shaw LLP
“I have taught information security at a collegiate level and in a corporate setting for many years. Most of the books that I have used do not make it easy for the student to learn the material. This book gives real-world examples, various product comparisons, and great step-by-step instruction, which makes learning easy.”
—William R. Holland, Chief Security Officer, Royce LLC
ISBN: 978-0-07-162678-1
MHID: 0-07-162678-6
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162677-4, MHID: 0-07-162677-8.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
…Austin, for making me what I am and showing me what I can be. Hook ‘em Horns!
—Aaron
To my daughter, I can’t wait to meet you. To my wife, thank you for supporting me through the second edition. To my mom and dad, thank you for your enthusiasm for a book you will never read. To my friends at G-C, thank you for all the hard work.
—Dave
Aaron Philipp
Aaron Philipp is a managing consultant in the Disputes and Investigations practice at Navigant Consulting, which assists domestic and global corporations and their counsel who face complex and risky legal challenges. In this capacity, he provides consulting services in the fields of computer forensics and high-tech investigations. Mr. Philipp specializes in complex computer forensic techniques such as identification and tracing of IP theft, timeline creation, and correlation relating to multiparty fraud and reconstruction of evidence after deliberate data destruction has occurred that would nullify traditional computer forensic methodology. Mr. Philipp was previously Managing Partner of Affect Computer Forensics, a boutique forensics firm based in Austin, Texas, with offices in Dallas, Texas, and Hong Kong. Affect’s clients include the nation’s top law firms, FORTUNE 500 legal departments, and government investigatory agencies. In addition, Mr. Philipp is a regular speaker at technology and legal conferences around the world. He has been internationally recognized for his work, with citations of merit from the governments of Taiwan and South Africa. Mr. Philipp has a B.S. in computer science from The University of Texas at Austin.
David Cowen, CISSP
David Cowen is the co-author of the best-selling Hacking Exposed Computer Forensics and the Anti-Hacker Toolkit, Third Edition. Mr. Cowen is a Partner at G-C Partners, LLC, where he provides expert witness services and consulting to Fortune 500 companies nationwide. Mr. Cowen has testified in cases ranging from multimillion-dollar intellectual property theft to billion-dollar antitrust claims. Mr. Cowen has over 13 years of industry experience in topics ranging from information security to computer forensics.
…engineering technologies from Thomas Edison and a master’s in business from The University of Texas at Austin. Mr. Davis served eight years in the U.S. Naval Submarine Fleet, onboard the special projects Submarine NR-1 and the USS Nebraska.
About the Contributing Authors
…multifaceted damages calculations, especially where complex databases and business systems are involved. Prior to joining Navigant Consulting, Mr. Lester was a director in the Financial Advisory Services practice of PricewaterhouseCoopers. He holds a bachelor’s of business administration in finance/international business, a B.A. in biology, and an MBA from The University of Texas.
Jean Domalis has over eight years of investigative experience, focusing on digital forensic techniques in the areas of IP theft, corporate espionage, embezzlement, and securities fraud. Ms. Domalis was previously a senior consultant with Navigant Consulting, where she participated as a key member of teams undertaking multinational forensic investigations in the United States, Canada, and Asia. Ms. Domalis came to Navigant with the acquisition of Computer Forensics, Inc., one of the nation’s premier computer forensics boutique firms. Ms. Domalis attended the University of Washington.
John Loveland specializes in providing strategic counsel and expert witness services on matters related to computer forensic investigations and large end-to-end discovery matters. He has over 18 years of experience in consulting multinational corporations and law firms and has led or contributed to over 100 investigations of electronic data theft and computer fraud and abuse and to the collection of electronic evidence from hard drives, backup tapes, network servers, cell phones and BlackBerries, and other storage media. Mr. Loveland was the founder and president of S3 Partners, a computer forensics firm based in Dallas, which was acquired by Fios, Inc., in 2003. He is currently managing director in the Computer Forensics and Electronic Discovery Services practice for Navigant Consulting in Washington, D.C., and oversees the practice’s operations in the Mid-Atlantic region.
David Dym has been a private computer forensics consultant for several years, providing services at G-C Partners, LLC. Forensic services have included evidence collection, recovery, and analysis for clients of top firms in the United States as well as companies in the banking and mining industry. Mr. Dym has over nine years of experience with programming, quality assurance, and enterprise IT infrastructure, and has experience with multiple network, database, and software security initiatives. Mr. Dym has built and managed multiple teams of programmers, quality assurance testers, and IT infrastructure administrators. He has participated in dozens of projects to develop and deploy custom-developed business software, medical billing, inventory management, and accounting solutions.
Rudi Peck has been a private computer forensic consultant for the last several years, providing services at G-C Partners, LLC. Forensic services have included evidence collection, recovery, and analysis for clients of several top firms in the United States as well as companies in the banking industry. Mr. Peck has over a decade’s worth of experience in programming, software production, and test engineering with an extensive background in Windows security. Mr. Peck has designed several security audit tools for forensic consultants. He has also developed computer forensic curriculum currently being taught to both private sector and law enforcement investigators.
Mr. Gorgal has taught information security at Southern Methodist University, the University of California at Los Angeles, and the National Technological University.
Peter Marketos is a partner at Haynes and Boone, LLP, who practices commercial litigation in the firm’s Dallas office. He represents clients as both plaintiffs and defendants in business disputes from trial through appeal. Mr. Marketos has tried many cases to juries and to the bench, obtaining favorable verdicts in disputes involving corporate fraud, breach of contract, breach of fiduciary duty, and theft of trade secrets. He has developed substantial expertise in the discovery and analysis of electronic evidence through the use of technology and computer forensics.
Andrew Rosen is president of ASR Data Acquisition & Analysis, LLC. He offers unique litigation support services to the legal, law enforcement, and investigative communities. With over a decade of experience in the recovery of computer data and forensic examination, Mr. Rosen regularly provides expert testimony in federal and state courts. Along with training attorneys and law enforcement officials in computer investigation techniques, Mr. Rosen frequently speaks and writes on emerging matters in the field. He has a worldwide reputation for developing cutting-edge computer-crime investigative tools and is frequently consulted by other professionals in the industry.
About the Technical Editor
Louis S. Scharringhausen, Jr., is the director of Digital Investigations for Yarbrough Strategic Advisors in Dallas, Texas, where he is responsible for directing, managing, and conducting digital investigations and electronic discovery projects. Mr. Scharringhausen was a special agent for the U.S. Environmental Protection Agency’s Criminal Investigation Division (USEPA-CID) for ten years, conducting complex, large-scale environmental investigations. For five of those years, he was a team leader for USEPA-CID’s prestigious National Computer Forensics Laboratory-Electronic Crimes Team, conducting forensic acquisitions and analysis in support of active investigations. After leaving the public sector in January 2007, Mr. Scharringhausen worked with Navigant Consulting, Inc., where he was an integral part of a digital forensics team that focused on fraud and intellectual property investigations before coming to Yarbrough Strategic Advisors. He has participated in numerous training sessions for Guidance Software, AccessData, the National White Collar Crime Center, and the Federal Law Enforcement Training Center, among others. He holds the EnCase Certified Examiner endorsement (EnCE) and a B.S. in environmental science from Metropolitan State College of Denver.
AT A GLANCE
Part I Preparing for an Incident
▼ 1 The Forensics Process 5
▼ 2 Computer Fundamentals 19
▼ 3 Forensic Lab Environment Preparation 41
Part II Collecting the Evidence
▼ 4 Forensically Sound Evidence Collection 63
▼ 5 Remote Investigations and Collections 97
Part III Forensic Investigation Techniques
▼ 6 Microsoft Windows Systems Analysis 131
▼ 7 Linux Analysis 161
▼ 8 Macintosh Analysis 175
▼ 9 Defeating Anti-forensic Techniques 197
▼ 10 Enterprise Storage Analysis 221
▼ 11 E-mail Analysis 239
▼ 12 Tracking User Activity 273
▼ 13 Forensic Analysis of Mobile Devices 303
Part IV Presenting Your Findings
▼ 14 Documenting the Investigation 341
▼ 15 The Justice System 357
Part V Putting It All Together
▼ 16 IP Theft 369
▼ 17 Employee Misconduct 393
▼ 18 Employee Fraud 417
▼ 19 Corporate Fraud 435
▼ 20 Organized Cyber Crime 453
▼ 21 Consumer Fraud 471
▼ A Searching Techniques 493
▼ Index 499
CONTENTS
Acknowledgments xix
Introduction xxi
Part I Preparing for an Incident
Case Study: Lab Preparations 2
Cashing Out 2
Preparing for a Forensics Operation 2
▼ 1 The Forensics Process 5
Types of Investigations 6
The Role of the Investigator 9
Elements of a Good Process 12
Cross-validation 12
Proper Evidence Handling 13
Completeness of Investigation 13
Management of Archives 13
Technical Competency 13
Explicit Definition and Justification for the Process 14
Legal Compliance 14
Flexibility 14
Collection and Preservation 16
Analysis 17
Production and Presentation 17
After the Investigation 18
▼ 2 Computer Fundamentals 19
The Bottom-up View of a Computer 20
It’s All Just 1s and 0s 20
Learning from the Past: Giving Computers Memory 22
Basic Input and Output System (BIOS) 24
The Operating System 25
The Applications 25
Types of Media 25
Magnetic Media 26
Optical Media 35
Memory Technologies 37
▼ 3 Forensic Lab Environment Preparation 41
The Ultimate Computer Forensic Lab 42
What Is a Computer Forensic Laboratory? 42
Forensic Lab Security 43
Protecting the Forensic Lab 44
Forensic Computers 48
Components of a Forensic Host 48
Commercially Available Hardware Systems 51
Do-It-Yourself Hardware Systems 51
Data Storage 52
Forensic Hardware and Software Tools 53
Using Hardware Tools 53
Using Software Tools 54
The Flyaway Kit 55
Case Management 56
Bonus: Linux or Windows? 59
Part II Collecting the Evidence
Case Study: The Collections Agency 62
Preparations 62
Revelations 62
Step 2: Remove the Drive(s) from the Suspect System 65
Step 3: Check for Other Media 66
Step 4: Record BIOS Information 66
Step 5: Forensically Image the Drive 66
Step 6: Record Cryptographic Hashes 92
Step 7: Bag and Tag 93
Move Forward 93
Common Mistakes in Evidence Collection 94
▼ 5 Remote Investigations and Collections 97
Privacy Issues 98
Remote Investigations 99
Remote Investigation Tools 100
Remote Collections 112
Remote Collection Tools 113
The Data Is Changing 122
Policies and Procedures 122
Encrypted Volumes or Drives 122
USB Thumb Drives 125
Part III Forensic Investigation Techniques
Case Study: Analyzing the Data 128
Digging for Clues 128
We’re Not Done Yet 128
Finally 129
▼ 6 Microsoft Windows Systems Analysis 131
Windows File Systems 132
Master Boot Record 132
FAT File System 132
NTFS 136
Recovering Deleted Files 138
Limitations 149
Windows Artifacts 150
▼ 7 Linux Analysis 161
The Linux File System (ext2 and ext3) 162
ext2 Structure 162
ext3/ext4 Structure 165
Linux Swap 166
Linux Analysis 166
▼ 8 Macintosh Analysis 175
The Evolution of the Mac OS 176
Looking at a Mac Disk or Image 178
The GUID Partition Table 179
Partition Entry Array 180
Deleted Files 186
Recovering Deleted Files 189
Concatenating Unallocated Space 189
Scavenging for Unindexed Files and Pruned Nodes 190
A Closer Look at Macintosh Files 192
Archives 192
Date and Time Stamps 192
E-mail 192
Graphics 193
Web Browsing 193
Resources 193
Virtual Memory 194
System Log and Other System Files 194
Mac as a Forensics Platform 195
▼ 9 Defeating Anti-forensic Techniques 197
Obscurity Methods 198
Privacy Measures 205
Encryption 205
The General Solution to Encryption 211
Wiping 212
▼ 10 Enterprise Storage Analysis 221
The Enterprise Data Universe 222
Rebuilding RAIDs in EnCase 223
Rebuilding RAIDs in Linux 223
Working with NAS Systems 224
Working with SAN Systems 225
Working with Tapes 226
Accessing Raw Tapes on Windows 227
Accessing Raw Tapes on UNIX 228
Commercial Tools for Accessing Tapes 229
Collecting Live Data from Windows Systems 231
Full-Text Indexing 231
Mail Servers 234
Client-based E-mail 243
Web-Based E-mail 261
Internet-Hosted Mail 261
Investigating E-mail Headers 267
▼ 12 Tracking User Activity 273
Microsoft Office Forensics 274
Tracking Web Usage 283
Internet Explorer Forensics 283
Firefox/Mozilla Forensics 291
Operating System User Logs 298
UserAssist 298
▼ 13 Forensic Analysis of Mobile Devices 303
Collecting and Analyzing Mobile Device Evidence 305
Password-protected Windows Devices 331
Conclusion 338
Part IV Presenting Your Findings
Case Study: Wrapping Up the Case 340
He Said, She Said… 340
▼ 14 Documenting the Investigation 341
Read Me 342
Internal Report 343
Construction of an Internal Report 344
Declaration 346
Construction of a Declaration 347
Affidavit 350
Expert Report 351
Construction of an Expert Report 352
▼ 15 The Justice System 357
The Criminal Court System 358
The Civil Justice System 359
Phase One: Investigation 360
Phase Two: Commencing Suit 360
Phase Three: Discovery 361
Phase Four: Trial 364
Expert Status 364
Expert Credentials 364
Court-Appointed Expert 365
Expert Interaction with the Court 365
Part V Putting It All Together
Case Study: Now What? 368
Mr Blink Becomes an Investigator 368
Time to Understand the Business Issues 368
▼ 16 IP Theft 369
What Is IP Theft? 370
IP Theft Ramifications 371
Loss of Customers 372
Loss of Competitive Advantage 372
Monetary Loss 372
Types of Theft 373
Technology 378
Tying It Together 389
What Was Taken? 389
Looking at Intent 390
Estimating Damages 390
Working with Higher-Ups 391
Working with Outside Counsel 392
▼ 17 Employee Misconduct 393
What Is Employee Misconduct? 394
Ramifications 395
Disruptive Work Environment 395
Investigations by Authorities 396
Lawsuits Against an Employer 396
Monetary Loss 397
Types of Misconduct 398
Inappropriate Use of Corporate Resources 399
Making Sense of It All 402
Employment Discrimination/Harassment 404
Violation of Non-compete/Non-solicitation Agreements 407
Tying It Together 412
What Is the Risk to the Company? 413
Looking at Intent 413
▼ 18 Employee Fraud 417
What Is Employee Fraud? 418
Ramifications 419
Monetary Loss 419
Investigations by Authorities 419
Criminal Penalties and Civil Lawsuits 420
Types of Employee Fraud 420
Asset Misappropriation 421
Corruption 427
Tying It Together 432
What Is the Story? 432
Estimating Losses 433
Working with Higher-Ups 433
Working with Outside Counsel and Investigators 434
▼ 19 Corporate Fraud 435
What Is Corporate Fraud? 437
Ramifications 437
Impact to Shareholders and the Public 437
Regulatory Changes 438
Investigations and Litigation 439
Types of Corporate Fraud 439
Accounting Fraud 440
Securities Fraud 444
▼ 20 Organized Cyber Crime 453
The Changing Landscape of Hacking 454
The Russian Business Network 455
Infrastructure and Bot-Nets 455
The Russian-Estonian Conflict 456
Effects on Western Companies 456
Types of Hacks and the Role of Computer Forensics 457
Bot/Remote Control Malware 457
Traditional Hacks 463
Money Laundering 465
Anti-Money Laundering Software 465
The Mechanics of Laundering 466
The Role of Computer Forensics 467
▼ 21 Consumer Fraud 471
What Is Consumer Fraud? 473
Ramifications 473
Types of Consumer Fraud 475
Identity Theft 475
Investment Fraud 482
Mortgage Fraud 486
Tying It Together 491
▼ A Searching Techniques 493
Regular Expressions 494
Theory and History 494
The Building Blocks 494
Constructing Regular Expressions 495
▼ Index 499
ACKNOWLEDGMENTS
“A good writer possesses not only his own spirit but also the spirit of his friends.”
—Friedrich Nietzsche
We simply could not have done this without the help of many, many people. It was an amazing challenge to coordinate the necessary depth of corporate, legal, criminal, and technical expertise across so many subjects. Many old and new friends donated knowledge, time, techniques, tools, and much more to make this project a success. We are truly grateful to each of you.
The wonderful and overworked team at McGraw-Hill is outstanding. We sincerely appreciate your dedication, coaching, and long hours during the course of this project. Jane Brownlow, this book is a result of your tireless dedication to the completion of this project. You are truly one of the best in the business. We would also like to extend a big round of thanks to Joya Anthony, our acquisition coordinator and honorary coxswain. Thanks to LeeAnn Pickrell for seeing us through to the finish line.
A special thank you goes to Jean Domalis, Todd Lester, John Loveland, and Louis Scharringhausen for their contributing work and thorough reviews. Jean, as always, your work is fantastic. You truly play to a standard in everything you do and it shows. Todd, you went above and beyond and the book is a world better for it. John, thank you for the vision and strategic input on the structure of the new sections. Louis, your attention to detail and desire to know the right answer is a huge asset. You were a fantastic
…for their assistance with the research on the new sections. Also, a special note of thanks to Kris Swanson and Todd Marlin for ideas and guidance throughout both this book and our other case work.
John, Jean, and Louis, I am proud to say that we were on the same team. You guys are great. John, you have always had my back, and I have learned a ton from you. Here is to success and building it the right way.
To Susan and Lauren, I cannot express my gratitude enough for your patience with me as Todd and I worked on the book weekend after weekend. Todd, thanks for everything, not just the book. You do the Longhorn nation proud and I will beat you one of these years at the Shiner GASP. Na zdorov’e.
Thanks to Fr. Patrick Johnson for all the sage advice and for reminding me of the importance of balance in life. St. Austin Catholic Parish in Austin, Texas, has truly become an anchor in my life.
Thanks to Chris Sweeny, Jonathan McCoy, and all of my teammates and brothers on the University of Texas Rugby Team. You taught me mental toughness, brotherhood, the value of perseverance, and how to never give up.
Thanks to Larry Leibrock and David Burns for introducing me to forensics and treating me so well while I was at the McCombs School of Business. And to every one of my computer science professors for showing me how much I still have to learn.
A huge thank you to Robert Groshon and Bradley O. Brauser for believing in me all those years ago.
Thanks to Peggy Cheung for being such a great friend. Your selling me the 2006 Rose Bowl tickets at face value goes as one of the greatest demonstrations of friendship I have ever witnessed. I am very sorry I stopped texting you game updates in the third quarter, and I still have no idea how much that phone call to Hong Kong cost me.
Finally, I would like to give another thank you to my family, my mother and father who gave me my first computer when I was seven, and my sister Renee.
—Aaron Philipp
INTRODUCTION
“This is not an incident response handbook.” This was the first line of the introduction for the first edition. Little did we know at the time how much computer forensics would change since the book was first published in 2004. Computer forensics is changing the way investigations are done, even investigations previously thought to be outside the four corners of technology investigations.
If you look at what happened with the economy in 2008 and 2009, the subprime mortgage meltdown, the credit crisis, and all of the associated fraud that has been uncovered, you can see the vital role that computer forensics plays in the process. Before the prevalence of technology in corporations, all investigators had to go on were paper documents and financial transactions. With the addition of computer forensics as a tool, we can better identify not only what happened at a certain point in time, but also, in some cases, the intent of the individuals involved. Multibillion-dollar fraud schemes are being blown open by the discovery of a single e-mail or thumb drive. Computer forensics is front and center in changing the way these investigations are conducted.
HOW THIS BOOK IS ORGANIZED
We have broken this book into five parts, reflective of the different stages of the investigation.
Part I: Preparing for an Incident
This section discusses how to develop a forensics process and set up the lab environment needed to conduct your investigation in an accurate and skillful manner. In addition, it lays the technical groundwork for the rest of the book.
Part II: Collecting the Evidence
Part III: Forensic Investigation Techniques
This section illustrates how to apply recovery techniques to investigations from the evidence you have collected across many platforms and scenarios found in corporate settings. We introduce field-tested methods and techniques for recovering suspect activities.
Part IV: Presenting Your Findings
The legal environment of technical forensics is the focus of this section. We discuss how you will interact with counsel, testify in court, and report on your findings. In many ways, this is the most important part of the forensics process.
Part V: Putting It All Together
This section is all about the application of what we’ve discussed in the earlier parts of the book. We look at different types of investigations through the lens of computer forensics and how it can help create the bigger picture.
The Basic Building Blocks: Attacks and Countermeasures
This format should be very familiar to anyone who has read a Hacking Exposed book before. How we define attacks and countermeasures for forensics, however, is a bit different than in past books.
This is an attack icon.
In previous Hacking Exposed books, this icon was used to denote a type of attack that could be launched against your network or target. In this book, the attack icon relates to procedures, techniques, and concerns that threaten to compromise your investigation. For instance, failing to properly image a hard drive is labeled an attack with a very high risk rating. This is because you are going to see it often (Popularity); creating an image is not difficult, so the mistake takes no special skill to make (Simplicity); and if you accidentally write to the disk when you are imaging, your whole investigation may be compromised, no matter what else you do correctly (Impact).
Popularity: The frequency with which you will run across this attack or technique in an investigation—1 being most rare and 10 being widely seen.
Simplicity: The effort or degree of skill involved in creating an attack or technique—1 being quite high and 10 being little or involving no effort or skill.
Impact: The potential damage to an investigation if you miss this detail—1 being
This is a countermeasure icon.
In this book, the countermeasure icon represents the ways that you can ensure correct completion of the investigation for the attack. In our hard drive example, this would mean correctly hashing the drive and verifying the hash after you have taken the image.
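As an added example, not code from the book, here is what that countermeasure looks like at the command line: hash the source before imaging, copy it with dd, hash the image, and refuse to accept the image unless the two digests agree. The file standing in for the suspect drive is constructed inline; the file names, the image_and_verify and verify_image helpers, and the .sha256 record layout are assumptions made for illustration, not a tool or convention the book describes.

```shell
#!/bin/sh
# Added example, not from the book: hash a source before imaging it, image it
# with dd, hash the image, and compare the two digests. Paths, helper names and
# the sample "drive" below are constructed for illustration.

# hash_of FILE: print the SHA-256 hex digest of a file or block device.
hash_of() {
    [ -r "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"      # fallback for systems without coreutils
    fi | cut -d' ' -f1
}

# image_and_verify SOURCE IMAGE
#   1. hash SOURCE before anything else touches it
#   2. copy SOURCE to IMAGE block by block with dd
#   3. hash IMAGE and compare it with the source digest
# Both digests are written to IMAGE.sha256 as the evidence record.
# Returns 0 when the digests match, 1 when they differ, 2 on an I/O error.
image_and_verify() {
    src=$1
    img=$2
    src_hash=$(hash_of "$src") || return 2
    # bs=512 matches the classic sector size. conv=noerror,sync is deliberately
    # absent: zero-padding unreadable or partial blocks changes the image, and
    # with it the hash, so a padded image has to be hashed and recorded on its own.
    dd if="$src" of="$img" bs=512 2>/dev/null || return 2
    img_hash=$(hash_of "$img") || return 2
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: re-hash an existing image and compare it with the source
# digest recorded in IMAGE.sha256. Run this every time the image is opened.
verify_image() {
    img=$1
    recorded=$(awk '$1 == "source" { print $2 }' "$img.sha256") || return 2
    [ -n "$recorded" ] && [ "$(hash_of "$img")" = "$recorded" ]
}

# Constructed sample input: a small file stands in for the suspect drive.
WORK=$(mktemp -d)
seq 1 4000 > "$WORK/suspect.raw"
if image_and_verify "$WORK/suspect.raw" "$WORK/suspect.dd"; then
    echo "image verified:"
    cat "$WORK/suspect.dd.sha256"
else
    echo "hash mismatch: the image cannot be relied on as evidence" >&2
fi
```

On a real acquisition the source would be a block device such as /dev/sdb reached through a write blocker rather than a file, and verify_image would be run again whenever the image is opened for analysis. If dd has to be told to skip bad sectors with conv=noerror,sync, the image hash will legitimately differ from the source hash; in that case the padded image is hashed and recorded on its own and the discrepancy is noted in the collection log.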
Other Visual Aids
We have also made use of several other visual icons that help point out fine details or gotchas that are frequently overlooked.
ONLINE RESOURCES
Forensics is a constantly changing field. In addition, there are things we weren’t able to include because they were outside the scope of the book. For these reasons, we have created a Web site that contains additional information, corrections for the book, and electronic versions of the things discussed in these pages. The URL is www.hackingexposedforensics.com.
In addition, if you have any questions or comments for the authors, feel free to e-mail us at authors@hackingexposedforensics.com.
We hope that you visit the Web site to keep up-to-date with the content in the book and the other things we think are useful. E-mail us if you have any questions or comments; we’d love to hear from you.
A FINAL WORD TO OUR READERS
As we said in the first edition, this book is about what happens after the incident response has taken place and during the nights of prolonged investigation to find the truth. When we wrote the first edition of the book, we had a fundamental tenet: Write a clear handbook
…applied properly, computer forensics applies a new level of transparency and accountability to traditional investigations that we haven’t seen in the past. It is our sincere hope that this book can help, even if in a very small way, this transparency and accountability take root.
That being said, we hope you enjoy reading this book as much as we did writing it.
Thank you for taking the time to read what we have to say and good luck in all your investigations!
—The Authors
Part I: Preparing for an Incident
Started near the end of the tech bubble, the company’s early days were a long way from the glitzy, go-go days of the dot.com heydays with fancy offices with $1000 Herman Miller chairs and product launch parties featuring the Dave Matthews Band. No, AcmeTech’s early days could be described best as “scrappy.” But the company succeeded where others failed primarily because it had what many didn’t: a “killer app.” It also had an aggressive salesperson who did his best to ensure that every Fortune 500 CIO had seen the application and wanted it.
Seven years later, that one application had grown into a suite of applications and the company’s sales force had grown to 100 sales representatives in 10 countries. Leading the sales team was Herb Gouges, the same salesperson who, by sheer force of personality, got the company its first customer. Herb was now a seasoned veteran and was in high demand as a technology salesperson. While sales were booming, Herb was more than a little frustrated with AcmeTech management. He was one of the initial employees (and arguably one of its most important), yet he had received only a small amount of company stock. Worse, as the company grew, management reduced Herb’s commissions—fairly typical of a growing company but still frustrating to Herb. He was approached by a headhunter recruiting for a new technology company with a product competing with AcmeTech’s. Herb liked the product and the company but was concerned with having to start his sales efforts from scratch. While a non-compete agreement prevented him from soliciting directly from AcmeTech’s customers, Herb knew he could work “behind the scenes” at his new firm and direct his AcmeTech customers to the new product. All he needed was information: customer lists and data, pricing models, service agreement templates, and so on.
Cashing Out
The plan worked. Mr. Gouges and a small cadre of helpers compromised more than 60 computers across dozens of locations, and unsuspecting users suffered hundreds of thousands in monetary damages—these people lost some serious cash.
It wasn’t long before the U.S. Secret Service got involved and traced the source of the damages to Mr. Gouges. After capturing the suspect, they further discovered that Herb was taking advantage of ACME Services’ computers, but they did not yet know how. The Secret Service notified ACME Services quietly to control any potential negative publicity for the publicly traded company. Acting as a silent partner, the Secret Service coordinated with ACME Services to bring in outside help.
In the meantime, the judge released Mr. Gouges on bail. The story wasn’t over yet.
Our team runs a secure lab and a formal case-management system. Before we started on the ACME case, we validated all the tools in the lab and neatly tucked the portable hardware units into the flyaway kits. We were ready to go when the call came to us. Our case-management system lets us handle the case and organize the evidence as it is returned to the lab. We control a large number of systems, tracking where the systems go and assigning the systems unique numbers with the proper documentation attached. This enables us to compare notes quickly and understand similarities found in multiple computers.
Rapid Response
Our flyaway kit includes a fully portable system with write blockers and extra drive bays ready to copy data. We also carry a standard set of tools and hardware used for our investigations. The standard set helped immensely when we needed to re-create our working system onto five new computers to handle all the systems we had to image. Having the tools and paperwork ready beforehand was critical to the rapid response demanded by the customer, especially considering the number of computers we had to investigate.
Solid process controls, training, preparations, and case management allowed us to respond quickly and efficiently. Our success in this case depended on our investment in a deeper understanding of how case operations work and how we could get the system to tell us the information we needed to know.
The Forensics Process
fo·ren·sics (fə-rĕn´sĭks, -zĭks) n. (used with a sing. verb) The use of science and technology to investigate and establish facts in criminal or civil courts of law.
Corporate espionage. Illicit images. Violations of corporate policy. Hacking attempts.
Work in information technology for even a short amount of time and you will find yourself dealing with one of these situations. When an incident occurs, the inevitable first words from management will be “What happened?” Apply computer forensics correctly and you answer that question in a way that is technically, legally, and analytically sound. To meet this goal, a forensics investigator must combine time-tested forensic techniques, legal framework, investigative skill, and cutting-edge technology to determine the facts.
Forensics is, first and foremost, a legal process. Depending on the investigation, you must understand and apply a vast array of legal concepts and precedents, such as chain of custody, spoilage of evidence, and dealing with production of evidence in court. If this sounds daunting, that’s because it is. If the crime is heinous enough, a lawyer will call on you to take the stand and testify about your investigation, your findings, and your qualifications as an investigator. If you do not perform the investigation with dedication to the process, technical details, and legal issues required, the facts that you uncover are useless. In the extreme, criminals get away, corporate secrets are leaked, and the investigator is held with a fiduciary responsibility for the mistakes made during the investigation. To put it in more concise terms: Be prepared. Have a process, understand what you know and what you don’t know, and create a list of who to call when the investigation exceeds your knowledge of either the technical or legal issues.
TYPES OF INVESTIGATIONS
Determining the type of investigation you are conducting is vital in discerning the correct process to follow. Each type of investigation has its own set of pitfalls, and knowing the parameters for the investigation you are conducting will help you avoid them. For the purposes of this book, investigations are divided into four main categories: theft of trade secrets, corporate or employee malfeasance, external breach, and civil litigation.
Theft of Trade Secrets
Popularity: 10 Simplicity: 10
Risk Rating: 9
or ascertainable, provides a competitive advantage, has been developed at the [company’s] expense and is the subject of [the company’s] intent to keep it confidential.” A trade secret may be a patent, trademark, or other intellectual property, or it may be something as simple yet important as a customer list or proposal template. The classic example of a trade secret is the formula for Coca-Cola.
Trade secrets are protected by law, and employees and other entities are prohibited from stealing them or making them available to others. Despite this prohibition, employee theft of trade secrets is rampant. It typically occurs when an employee or a group of employees leave a company to work for a competitor. Everyone wants a leg up, and for the employee that might mean taking competitive intelligence to his new employer. Depending on the nature of the information taken, this can have serious consequences for the owner of the stolen information in terms of lost customers, contracts, revenues, and so on. Because of this, and because most trade secrets today are stored electronically, internal and external forensic investigators deal with this issue more than any other. Depending on the nature of the information stolen, these cases can be very fast-moving investigations because of the potentially negative financial impact on the company.
While these investigations may start as an internal investigation, they can quickly turn into litigation in the form of temporary restraining orders and lawsuits. As a result, an investigator must assume from the outset that the evidence collected in a theft of trade secrets matter will be ultimately presented in court and should use defensible technical methods and follow appropriate processes.
Corporate or Employee Malfeasance
Risk Rating: 6
Investigations into malfeasance on the part of a company, an individual, or a group of employees can take one of three forms: internal, external such as a governmental investigation, or quasi-internal such as a board of director’s investigation of senior executives. These investigations require an element of secrecy, as the suspects are typically active employees who are in violation of the law or corporate policy. The simple knowledge that an investigation is occurring would be enough for the suspects to destroy evidence, potentially causing more harm. The clandestine nature of these investigations makes them different and challenging. Alternative means of evidence collection may be employed to preserve the secrecy of the investigation. Forensic activities may take place without the knowledge of the company’s IT department, making the investigation even more complicated. And because the information gathered may ultimately end up being
so that it can be used in future civil or criminal litigation.
Civil discovery is less of an investigation and more of a step in the litigation process. Our legal system allows parties to litigation the opportunity to review documents in support of or in refutation of a legal claim. This means that if one company sues another, each is entitled to review the other company’s documents that are deemed to be relevant to the case. For example, in the case of a theft of trade secrets, the competitive firm is allowed to review all the evidence collected during the investigation that relates to the theft. Forensic investigators may be asked to identify and produce electronic data from their company to comply with a discovery request or review the evidence provided by the opposing company to establish proof of the company’s claim.
Determining the Type of Investigation
Knowing the type of case you are dealing with defines how you conduct your investigation. This determination is never as easy as it sounds. Cases can escalate in the blink of an eye. You don’t want to get in a situation where evidence has to be thrown out because you took the situation too lightly and didn’t fully think through what type of case you were dealing with. Always treat a new case with the same standard procedures you know are tested and true. This simple guiding principle, although not followed as often as we’d like to believe, can save an investigator immeasurable grief down the line.
THE ROLE OF THE INVESTIGATOR
What makes a good computer forensics investigator? The ability to be creative in the discovery of evidence, rigorous in the application of a disciplined process, and understanding of the legal issues that are involved every step of the way. However, other factors play into the equation, depending on the investigation’s context. Stories of investigators who ruined or destroyed a case because of incompetence or arrogance are all too familiar. You must have a complete understanding of the risks when you embark
A Special Note About Criminal Investigations
While any one of the aforementioned investigations can rise to the level of a criminal act, they are most likely to occur in instances of corporate malfeasance and external breach. These investigations are often for the highest stakes. The suspect’s livelihood and/or the company’s reputation and even viability are on the line, and every aspect of the investigation is scrutinized and reworked multiple times. Accuracy is paramount, with attention to the process and documentation a close second.
Know your process, know your tools, and above all know your limits. For an internal investigator, these cases can be particularly problematic as the pressure to muddle or even suppress the truth can be intense. In these situations, it’s best to encourage the use of an external forensic investigator. As an external forensic investigator, be judicious in selecting in which criminal matters you get involved.
These cases play out in the media, with the latest happenings of the court showing up on the 6 o’clock news. Credibility of the investigator is also at a premium, and if you don’t have the proper credentials and background to testify properly on your findings, your credibility will be destroyed on the stand in a very public forum.
in the courtroom. We’ve seen entire cases thrown out or monetary sanctions imposed as a result of faulty methods used in the preservation or collection of relevant data.
Resolving Bias
Always practice full disclosure with your clients, internal and external. Discuss with them potential conflicts of interest. If you had dinner at the suspect’s house two years ago, make sure they know about it. If the other side knows about it but your guys don’t, you are in for a bad time during and after deposition. Don’t be afraid to recommend a third-party firm or investigator who can conduct the investigation in an unbiased manner.
Investigator Qualifications
investigators tell war stories about going against “newbies.” These stories always end badly for the newbie. Don’t be the subject of one of these stories. If you are not properly qualified and credentialed to perform the investigation, the court will throw out your findings and you will be in a world of hurt with your superiors.
Investigator Use of Evidence
Begin an investigation with an open mind, and take the unsubstantiated words of others with a grain of salt. The tools and the processes exist for a reason; use them and trust them. The more that politics and personal agendas influence your analysis, the less credible your results become in court.
Being a Good Investigator
Know your limits, and don’t be afraid to call in qualified professionals if the situation requires it. This may sound basic, but practice with your tools. Constantly revalidate
them. They leave the deposition with egos deflated, wishing that they had finished reading this book.
ELEMENTS OF A GOOD PROCESS
The task of a computer forensics investigator is difficult. It is one of the most adversarial occupations in information technology. You will have every aspect of your technical competency and methods scrutinized to their very core. As such, it is imperative that you use a deterministic, repeatable process that is clear, concise, and simple. Adherence to this process is the examiner’s greatest asset. Deviate from it, and your investigation will be for naught. Having a defined, proven process means you show several elements:
Cross-validation
Whenever possible, rely on more than one tool to back up your findings. Cross-validation is one of the key tools available to the forensic investigator. If you trust only one tool in your investigation, you live and die by that tool. If the opposing counsel can rip holes in the single tool you use, it doesn’t matter how solid your investigative process is. A member of law enforcement once told me that he would assume that he could win cases based solely on the fact that the defense used a tool he knew had several holes. You can
Proper Evidence Handling
A good rule to follow as a forensic investigator is the same one taught to all incoming medical students: First, do no harm. Computer evidence is notoriously subject to the “observer effect”: the mere act of viewing data on a system without using proper forensic techniques can cause the data in the system to change. You must be able to show that the evidence you present in court is exactly the same as the evidence that existed at the time it was collected. That means you must not modify the evidence in any way as part of your investigation.
The forensic investigator must always be aware of the chain of custody of evidence after collection. It is vital that you show who had access to the evidence, what they did with it, and that no tampering with the evidence occurred. Become familiar with the different cryptographic hashing functions, such as MD5 and SHA-1. These algorithms act like fingerprints, allowing you to show mathematically that the evidence is the same today as the day the investigator collected it. Also, always keep records of who accesses evidence, when they access the evidence, and what they do with it. This will help to refute evidence injection arguments that the opposing counsel may make during litigation.
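As an added illustration of the hashing and record-keeping discipline described above (example code written for this edit, not code from the book or its authors), the following Python computes MD5 and SHA-1 in one pass over the evidence, stores both digests with the acquisition record, and re-verifies the data on every logged access, so the custody log shows who touched the evidence, when, what they did, and that it was unchanged at each step. The evidence bytes, the evidence ID, and the examiner names are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image: a few KB of deterministic bytes.
# A real image is gigabytes, which is why the hashing below reads it in chunks.
SAMPLE_IMAGE = b"\x33\xc0\x8e\xd0" + bytes(range(256)) * 16 + b"\x00" * 510 + b"\x55\xaa"


def hash_evidence(data: bytes, chunk_size: int = 4096) -> dict:
    """Compute MD5 and SHA-1 digests in a single chunked pass over the evidence.

    Two independent algorithms are recorded so that the integrity claim never
    rests on a single tool or a single algorithm (the cross-validation principle).
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": len(data)}


def acquire(evidence_id: str, data: bytes, examiner: str) -> dict:
    """Create the acquisition record: identity, digests at collection time,
    and the first chain-of-custody entry (who, when, what)."""
    record = {"evidence_id": evidence_id, "acquired": hash_evidence(data), "custody": []}
    _log(record, examiner, "acquired and hashed", record["acquired"])
    return record


def verify(record: dict, data: bytes) -> dict:
    """Re-hash the evidence and compare against the digests taken at acquisition."""
    now = hash_evidence(data)
    baseline = record["acquired"]
    return {
        "md5_ok": now["md5"] == baseline["md5"],
        "sha1_ok": now["sha1"] == baseline["sha1"],
        "intact": now == baseline,
    }


def access(record: dict, examiner: str, action: str, data: bytes) -> bool:
    """Log an access to the evidence and re-verify it as part of that access.

    Returns True when the evidence still matches its acquisition digests; the
    result is also written into the custody entry for later reviewers.
    """
    result = verify(record, data)
    _log(record, examiner, action, hash_evidence(data), intact=result["intact"])
    return result["intact"]


def _log(record: dict, examiner: str, action: str, digests: dict, intact: bool = True) -> None:
    """Append one custody entry: timestamp (UTC), examiner, action, digests seen, verdict."""
    record["custody"].append({
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "who": examiner,
        "action": action,
        "md5": digests["md5"],
        "sha1": digests["sha1"],
        "intact": intact,
    })


if __name__ == "__main__":
    rec = acquire("EVIDENCE-001", SAMPLE_IMAGE, "examiner A")  # constructed names
    print("analysis access intact:", access(rec, "examiner B", "keyword search", SAMPLE_IMAGE))
    # Simulate the observer effect: one byte of the working copy changes.
    altered = bytearray(SAMPLE_IMAGE)
    altered[100] ^= 0x01
    print("after one-byte change intact:", access(rec, "examiner B", "re-verify", bytes(altered)))
    for entry in rec["custody"]:
        print(entry["when"], entry["who"], entry["action"], "intact=" + str(entry["intact"]))
```

A single flipped byte changes both digests, which is what lets the record refute an evidence-injection argument. Note that both MD5 and SHA-1 have published collision constructions, so current practice adds a SHA-256 digest alongside them; the structure of the record does not change.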
Completeness of Investigation
When conducting an investigation, a forensics investigator has to be able to show that she conducted the search for evidence in a complete manner. Lawyers hate new evidence brought up days before court time that they didn’t know about. The clients they represent hate it even more when that new evidence causes them to lose the case. Know what you know and know what you don’t know. Follow your counsel’s direction on what evidence to look for and don’t go outside the scope of that. But use a process that ensures that you will locate every piece and reference to that evidence. If you don’t use a solid, tested process for evidence collection, analysis, and reporting, you will miss evidence.
Management of Archives
In the legal world, just because a judge has ruled does not mean the case is over. An investigator may be asked to rework a case months or years after the initial investigation. This makes it imperative always to ensure that proper archiving and case management is part of the process. If counsel comes back six months after a ruling asking you to rework a case for the appeal, you must be able to fulfill that request. This means proper document retention, data storage, and backup policies. As with your initial testimony, you will be required to show proper evidence handling and authenticity of the data. The last thing you want as an investigator is to formally request the opposing counsel for an image of a hard drive because your process didn’t include proper retention procedures.
Technical Competency
your tool’s assumptions. If you do settle on a specific toolset, understand the tradeoffs that the developers made when designing the tool. Know your toolset’s weaknesses and strengths so you can stand by it when questioned.
A prime example of this is the way that the novice investigator treats digital signatures. It is common for someone with a basic understanding of a cryptographic hash to make the statement that “each dataset will create a unique hash.” While this statement is true as a matter of practice, the “birthday attack” shows that this can be subverted. If you understand hashing and are familiar with the birthday attack, it is easy to address this subversion when questioned. If you don’t understand these basics, you will be torn apart by the opposing expert.
The birthday attack is based on the fact that if you continually change input datasets, the resulting hash will be the same alarmingly more often than one would expect. Its name is derived from the fact that with 23 people in a room, there is approximately a 50 percent chance that two of them share a birthday on the same day of the year.
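To put numbers behind the birthday argument so it can be explained on the stand, here is an added worked example (written for this edit, not from the book) that computes the exact probability for the 23-people case and generalizes it to the bound for a hash of a given digest length. It goes beyond the page's single figure: the same formula yields the group size needed for any target probability, and the standard approximation n ≈ sqrt(2·d·ln(1/(1−p))) gives the number of random inputs needed before a pair of hash values is likely to coincide, which is the generic limit behind "each dataset will create a unique hash."

```python
from math import log, sqrt

DAYS_IN_YEAR = 365


def collision_probability(n: int, d: int) -> float:
    """Exact probability that at least two of n values drawn uniformly from d
    possibilities coincide: 1 - (d/d) * ((d-1)/d) * ... * ((d-n+1)/d)."""
    if n > d:
        return 1.0  # pigeonhole: more samples than values guarantees a repeat
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (d - i) / d
    return 1.0 - p_all_distinct


def people_for_probability(p: float, d: int = DAYS_IN_YEAR) -> int:
    """Smallest group size whose collision probability reaches p (exact search)."""
    n = 1
    while collision_probability(n, d) < p:
        n += 1
    return n


def hashes_for_probability(p: float, bits: int) -> float:
    """Approximate number of distinct random inputs needed before the chance that
    some pair shares a bits-bit digest reaches p. Uses n ~= sqrt(2 d ln(1/(1-p)))
    with d = 2**bits, because the exact product cannot be iterated 2**64 times."""
    d = 2 ** bits
    return sqrt(2 * d * log(1 / (1 - p)))


if __name__ == "__main__":
    print(f"23 people, shared birthday: {collision_probability(23, DAYS_IN_YEAR):.3f}")
    print(f"people needed for a 50% chance: {people_for_probability(0.5)}")
    for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        n = hashes_for_probability(0.5, bits)
        print(f"{name}: about 2^{log(n, 2):.1f} random inputs for a 50% chance of any collision")
```

The bound above is the generic one that applies to any hash function regardless of its design; it is the reason a digest's useful strength is roughly half its bit length, and it is the honest answer to "can two different datasets have the same hash?" The published attacks on MD5 and SHA-1 do better than this generic bound, which is why both should be paired with a stronger digest in current work.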
Explicit Definition and Justification for the Process
Hardware malfunctions. Software crashes. You must conduct your investigation in a manner that allows you to retrace all your steps. You must follow a discrete and clear path while performing an investigation that is easily explainable to a judge and opposing counsel. If you end up questioned on your methodology and the line of thinking that led you to the results you are presenting, you have to justify yourself. Do this by showing the steps and walking others through the investigation. If, when questioned on your methods, you can’t provide clear evidence that they were correct, the investigation was for naught.
Legal Compliance
Always ensure that your process conforms to the laws in the jurisdiction of the investigation. For an internal corporate investigation, ensure that it complies with the corporate policies set forth. The most technically creative and astute investigations are meaningless if they don’t adhere to the legal rules of the case. Talk to the lawyers or the corporate higher-ups. Get feedback on how the investigation should proceed, the type of evidence desired, and where the legal or corporate policy landmines exist. Remember that at the end of the day, the role of the investigator is a supporting role in a much bigger play. Talk to the legal or corporate experts and don’t perform the investigation in a vacuum.
Flexibility
worthless. Make sure you design your process to handle new technologies and requirements that may pop up as the investigation continues, and as you take on new investigations.
DEFINING A PROCESS
Now that you know what makes a good forensic investigator and what the elements of a sound process are, let’s define a process. The remainder of the chapter will focus on the process used by the Electronic Discovery Reference Model (EDRM). The EDRM is an industry working group that was created in May 2005 to create an industry standard process for the analysis and production of electronic data. It is sound and has been tested in both legal and technical aspects. In addition, it is flexible enough to handle the diverse requirements that you may see as an investigator.
Following are the relevant stages of the EDRM:
The EDRM working group comprises industry members from all areas of electronic discovery and forensics (including the two authors of this book). For more information on the EDRM project, visit www.EDRM.net.
To understand the process as a whole, you must understand what each step in the methodology entails.
Identification
This first phase of the process details what you do when you’re presented with a case and need to determine a course of action. Five core steps guide you through the initial identification phase:
1. Determine scope and quantity of the data. This requires that you, as the investigator, work with the individuals requesting the examination to determine what the investigation will cover and approximately how much data the investigation will entail.